Explore the integration of Extended Verification Module (EVM) with Linux Security Module (LSM) policy in this 34-minute conference talk by Matthew Garrett from Google. Delve into the challenges of securing developer machines and learn how EVM can enhance file integrity verification. Discover the potential of combining EVM with other Linux security mechanisms to grant privileges based on application metadata and signature validity. Examine the complexities of implementing this approach, including considerations for interpreted languages and performance optimization. Gain insights from Garrett's expertise in desktop Linux security as he presents solutions and discusses future possibilities for improving system integrity and security.
Tying EVM into LSM Policy for Enhanced Linux Security
Overview
Syllabus
Intro
How do you secure a fleet of developer machines?
Integrity Measurement Architecture (IMA)
Taking IMA further - Extended Validation Module
EVM wasn't ideally suited for what we wanted
How do we tie these together?
What does it look like?
But what about interpreted languages?
We can add more complexity
But hashing is slow
Summary
Taught by
Linux Foundation
